Here is the software hackers use to steal your passwords

Hackers rely on a variety of tools to force their way into your online accounts. Here is a selection of the best in the field.

Password theft and trafficking is, as we know, one of the pillars of cybercriminal activity. According to security researchers at Digital Shadows, more than 24 billion username-password pairs have been stolen in the past six years before ending up in hacker forums and other illicit stores.

But how do hackers manage to obtain all these passwords? What techniques do they use? According to the Digital Shadows report, email phishing remains the main route to Internet users' passwords. But there are also more specialized and lesser-known tools that hackers use to achieve their goals.

Redline, the data vacuum cleaner

Because phishing may not always work or be suitable, hackers can use malicious code to siphon off passwords stored on a system. One of the most widely used programs for this is Redline Information Stealer. It costs about $200 and is relatively easy to deploy. Hackers often send it through booby-trapped messages in the form of an Excel add-in (XLL).

Image: Redline support service on Telegram (credit: Digital Shadows)

Once installed on a computer, it searches the machine from top to bottom. In particular, it scrapes data stored in web browsers, where it can recover cookies and, of course, passwords. Redline is also able to detect the presence of certain processes, such as antivirus software, which makes relatively complex attack strategies possible. If it works, it's the jackpot: compared to phishing, the malware recovers many credentials at once.

OpenBullet, the credential stuffing specialist

A hacker who holds a batch of credentials will try to make the most of this asset. How? By trying these credentials on other websites. Everyone knows that many Internet users reuse the same password on several websites. Of course, there is no question of doing this by hand. According to Digital Shadows, the most popular software for automating this task is OpenBullet. It is often used in conjunction with a proxy service so that the IP address can change with each connection attempt. This allows hackers to remain discreet and avoid being blocked by an online service.

Image: OpenBullet website (credit: Digital Shadows)

Available for free on GitHub, OpenBullet was originally created by security researchers to make penetration testing easier. For it to work well, however, the user must define "configs" that allow the software to handle the authentication process correctly. Specifically, the tool needs to know where to place the username and password and how to recognize a successful login. But don't panic: these configurations are sold in hacker forums, so hackers really don't need to rack their brains.
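A defender's view of the proxy rotation described above, as an added example that is not from the article or from Digital Shadows: because each attempt arrives from a new address, a per-IP failure counter never fires, while a check on how failures spread across accounts and addresses within a time window does. The log events, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source_ip, username, success).
# Addresses come from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
def build_sample_events():
    events = []
    # Ordinary traffic: a few users logging in from stable addresses.
    for i, user in enumerate(["alice", "bob", "carol"]):
        events.append((1000 + 40 * i, f"198.51.100.{10 + i}", user, True))
    events.append((1050, "198.51.100.11", "bob", False))  # one mistyped password
    # Stuffing burst: 40 different usernames, each attempt from a new address.
    for i in range(40):
        events.append((2000 + i, f"203.0.113.{i + 1}", f"user{i:03d}", i == 17))
    return sorted(events)

def per_ip_alerts(events, max_failures=5):
    """Classic per-address lockout: flags an IP after too many failures."""
    failures = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            failures[ip] += 1
    return {ip for ip, n in failures.items() if n > max_failures}

def stuffing_windows(events, window=60, min_failures=20, min_spread=0.8):
    """Flag time windows where failures are numerous AND spread over many
    distinct usernames and addresses (few attempts per IP, few per account)."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            buckets[ts // window].append((ip, user))
    flagged = []
    for bucket, fails in sorted(buckets.items()):
        ips = {ip for ip, _ in fails}
        users = {u for _, u in fails}
        spread = min(len(ips), len(users)) / len(fails)
        if len(fails) >= min_failures and spread >= min_spread:
            # (window start, failures, distinct IPs, distinct usernames)
            flagged.append((bucket * window, len(fails), len(ips), len(users)))
    return flagged

if __name__ == "__main__":
    ev = build_sample_events()
    print("per-IP alerts:", per_ip_alerts(ev))
    print("stuffing windows:", stuffing_windows(ev))
```

On the constructed data the per-IP counter stays silent, while the window check flags the burst and leaves the single mistyped password alone.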

HashCat, the hash cracker

When hackers manage to gain access to user databases, they generally do not recover plain-text passwords, but only their cryptographic fingerprints ("hashes"). A hash is the result of a one-way mathematical transformation that makes it possible to validate a password entry without having to handle the actual password. In theory, no online service should store passwords in plain text, only cryptographic fingerprints.

By definition, there is no simple method to find a password from its hash. The only way to do this is to calculate the hashes of many candidate passwords and compare them to the hash of the password you are looking for. This is often long and tedious, which is why hackers use software, in this case HashCat.

Image: HashCat is used from the command line (credit: Digital Shadows)

Its advantage is that it lets you define calculation strategies to go faster. You can, for example, load one or more "dictionaries", i.e. large collections of frequently used passwords. Hackers can also define "masks" for these dictionaries, in other words, patterns for constructing passwords. Example: a word that begins with a capital letter and ends with a number and a special character. This is one of the patterns most used by Internet users. But it is possible to program much more complex patterns. The goal is to avoid as much as possible brute-force computation, which is stupid, ugly and very slow.

Source: Digital Shadows
